Agenda

Our "Targeted Voice Recorder" research addresses

• Relevance - Extent of exposure 

• Simplicity - Anatomy of the attack 

• Protection - Mitigating controls 

High Level Process Flow

Mobile Device Platforms

Android - Path of Least Resistance

• Volume of devices and growth

• Market fragmentation

• Lag for software updates

• Open platform

• Vetting controls

Proof of Concept - Overview

Objective: Obtain a voice recording of the user using the device (not phone call)

Requires:

• Knowledge of their mobile device platform

• Physical or remote acquisition techniques

• A mobile app that can trigger at a specific location, act as a recorder and post recorded files

• An app that is in the market place (ideally)

• An app that can be remote controlled (ideally)

Simple but Efficient

Simple but Effective (Devastating)

Voice recorder -> Targeted Individual

~ 600 LOC

• Corporate Espionage

• Insider Trading

• Financial Gain

• Political Gain

• Competitive Advantage

~ $few hundred

Proof of Concept - Application

Functions

• ~600 Lines of Code

• Polls a specific server for instructions (where to trigger, radius, duration)

• Triggers on GPS co-ordinates (or derived location from GSM Network, Wireless etc)

• Records for 30 seconds. Continuous looping for demo.

Permissions Required 

• access your location (GPS) 

• your personal information (contact info) 

• network communications (make outbound connections) 

• storage (store file) 

• hardware controls (record audio) 

Visibility 

• None - will operate in the background and not alert the 
owner it is triggered (although PoC app presents logging 
information on the screen for demo purposes, and 
vibrates to indicate recording!) 

Anatomy of the Attack

Set the GPS Co-ordinates for Desired Recording Location on server

App Polls Attacker's Server & Downloads GPS Co-ord's

Recording File sent to Attacker's Server

Demo

Physical Acquisition

No pin/password controls by default; Not complex by default

Remote Identification & Acquisition

Email Trailer

Sent from my HTC Velocity 4G on the Next G network

User Agent Info

Spear Phishing

Broader Implications

• Access to Personal or Corporate Email

• Access to SMS

• Access to Images

• Access to Network (personal, wireless, corporate, VPN)

• Access to Corporate Apps & Data

• Send SMS to Premium Rated Services "Toll Fraud"

Controls and Mitigations

Controls that will assist in addressing this issue

• Whitelist specific applications (or blacklist 2nd pref)

• Educate users on best practices regarding mobile devices

• Strong alphanumeric passcode; smudge protection

• Restrict default apps and resources such as browser, camera, YouTube, and Google Play

www.senseofsecurity.com.au

© Sense of Security 2012

1/06/2012

Other MDM controls that should be considered ... but won't all address this issue

• Bring corporate and employee-owned phones under centralised IT management

• Connect mobile devices securely to enterprise resources including email, Wi-Fi and VPN

• Enforce security policies to protect corporate data

• Configure device security such as encryption of data-at-rest and passcodes

• Enforce secure bring your own device (BYOD) policies if you allow staff to use their devices inside the network

• Keep highly confidential data off mobile devices

• No removable media such as SD cards allowed in corporate mobile devices

• Block attachment execution or downloading to the SD card

• Detect rooted devices and remote wipe when found

• Internal segregation controls on what access mobile devices have inside the network

• Expedite handling to secure lost, stolen or retired smartphones through full and selective wipe

• Rogue app protection as well as inventories of installed apps

• Ensure anti malware/anti virus is up to date

• Define and enforce allowed device types, OS, and patch levels
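
The app-inventory and whitelisting controls above can be combined with the permission list from the "Proof of Concept - Application" slide into a simple audit, shown here as an added example that is not part of the original presentation. The Android permission strings are an assumed mapping of the slide's permission groups, and the devices, package names and inventory format are constructed for illustration.

```python
# Added example: audit an MDM app inventory for the PoC's permission combination.
P = "android.permission."
RECORD, NETWORK = P + "RECORD_AUDIO", P + "INTERNET"
LOCATION = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}
# Supporting permissions from the slide (mapping to these names is an assumption).
SUPPORTING = {P + "READ_CONTACTS", P + "WRITE_EXTERNAL_STORAGE"}


def audit_inventory(inventory, allowlist):
    """Return sorted (device, package, verdict, extras) tuples.

    An app is reported when it can record audio, learn the device location and
    make outbound connections. Verdict is "block" if the package is not on the
    allowlist, "review" if it is (an approved app still holds the full set).
    """
    findings = []
    for device, apps in inventory.items():
        for app in apps:
            perms = set(app["permissions"])
            if not (RECORD in perms and NETWORK in perms and perms & LOCATION):
                continue
            verdict = "review" if app["package"] in allowlist else "block"
            extras = sorted(p[len(P):] for p in perms & SUPPORTING)
            findings.append((device, app["package"], verdict, extras))
    return sorted(findings)


# Constructed sample data: hypothetical devices, packages and inventory format.
ALLOWLIST = {"com.example.mail", "com.example.voip"}
SAMPLE_INVENTORY = {
    "dev-001": [
        {"package": "com.example.mail",
         "permissions": [NETWORK, P + "READ_CONTACTS"]},
        {"package": "com.example.notes",  # records, but has no network access
         "permissions": [RECORD, P + "WRITE_EXTERNAL_STORAGE"]},
        {"package": "com.example.freegame",
         "permissions": [RECORD, NETWORK, P + "ACCESS_FINE_LOCATION",
                         P + "READ_CONTACTS", P + "WRITE_EXTERNAL_STORAGE"]},
    ],
    "dev-002": [
        {"package": "com.example.voip",
         "permissions": [RECORD, NETWORK, P + "ACCESS_COARSE_LOCATION"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, ALLOWLIST):
        print(finding)
```

Allowlisted apps that hold the full combination are returned as "review" rather than skipped, since approval of the package does not change what it is able to do.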

Mobile Device Platforms

These attacks are valid across the other major platforms.

SOS Research

Special note of thanks to the dedicated, motivated and highly talented team at SOS.

This presentation is the culmination of a research program delivered through effective collaboration, teamwork and perseverance to push the envelope on the cutting edge.

Conclusion

• Extreme exposure

• Severe implications for privacy of the individual

• Severe implications for confidentiality of information for business/government

• The fact that every person has/will have a mobile device means that every person is a walking/moving/sitting voice/video recorder that can be exploited

• Remote control capability to spy extends the scope and risk

• MDM controls are good for general security - but not all will address this issue

• Requires user education; however curiosity of users and inclination to trust will result in continued exposure

Questions?

Thank you

Recognised as Australia's fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs

Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.

This presentation will be published at
http://www.senseofsecurity.com.au/research/presentations

Whitepaper will be published at
http://www.senseofsecurity.com.au/research/it-security-articles

Attribution - icons from iconfinder.com